Executive Summary:
On October 1, 2012, the Washington Free Beacon reported, and the White House confirmed, that attackers had breached a network of the White House Military Office, the office responsible for the President's "Football" (and with it the nuclear launch codes) and for other inter-government communication involving senior intelligence officials. The Free Beacon attributed the intrusion to the Chinese government, specifically the 4th Department of the General Staff of the People's Liberation Army (4PLA). The "Football" is the briefcase-sized case carried by a trusted military aide who is never more than a few feet from the President. Its purpose is to give the Commander in Chief direct access to the U.S. military's nuclear arsenal in the event of a preemptive strike by another country against the United States.

The article states that the hackers used "a spear phishing attack against an unclassified network" as a route toward top secret information. In this instance, however, a senior White House official said the "attack was identified, the breach was isolated and there was no indication whatsoever that any exfiltration of data took place because of mitigation countermeasures." Whether or not the administration was fully forthcoming about how much sensitive information was compromised, allowing another country to get this close to some of the United States' most closely guarded secrets is alarming.

Analysis
"Spear phishing" is a technique used by hackers to gain a foothold on a network in order to acquire sensitive information such as usernames, passwords, trade secrets, patents or other top secret material. The attacker sends malware (or a link to it) disguised as legitimate electronic communication from a trustworthy source. Typically an official-looking message is sent to a small, carefully chosen group of people in the hope that at least one recipient will open it, follow its instructions (open the attachment or click the link), and thereby give the attacker the access needed to extract the data sought.

Spear phishing is best understood alongside the other ways a secured network is typically breached. Three methods account for most compromises: 1) insertion of malicious code, whether from a contaminated flash drive or from a targeted email message sent by an outside source to an unsuspecting recipient; 2) breach by a trusted insider, as in the case of the documents leaked to WikiLeaks; or 3) abuse of compromised credentials or authentication tokens used for remote access to secured networks, as occurred with the compromise of the security firm RSA (an intrusion that itself began with a spear phishing email carrying a zero-day exploit). Tighter internal controls may reduce the frequency of spear phishing attacks, but IS administrators must still guard against the weak link who clicks on the suspicious email and infects the network (1). Unfortunately, that weak link only needs to be one person who falls for an authentic-looking email and opens the attachment. The other two methods (2 and 3) are much harder to detect and generally are not discovered until after the attack has taken place.

In the case of the White House Military Office intrusion, the danger of failing to detect a spear phishing attack until it is already under way is three-fold. If 4PLA were to deploy malware and begin extracting sensitive information, China's government could 1) use it during future conflicts to intercept top secret presidential communications, 2) locate the President for assassination targeting purposes, or 3) disrupt strategic command and control messages from the President to U.S. forces abroad. As with the protection of other top secret military communications, the specific security measures the White House has implemented are not available for public consumption, so it is important to focus on the general best practices (listed below) that any organization can apply to avoid being victimized.

IT professionals offer the following basic practices to avoid falling victim to spear phishing attacks: 1) delete all suspicious email without opening attachments or following links; 2) contact IT system security with any question if unsure of a message's authenticity; 3) immediately report all incidents, including a suspected click; 4) look for email digital signatures and check that the sender's actual address, not just the display name, matches the claimed source; 5) configure intrusion detection/prevention systems and mail and web filters to block known malicious domains and IP addresses; and 6) ensure antivirus software and definitions are up to date.
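Several of the practices above (checking for digital signatures, verifying the real sender, spotting links that point somewhere other than where they claim, and catching risky attachments) can be mechanized at the mail gateway before a message ever reaches the weak link. The following is an added example written for this page; it is not code from the article or from any of the cited sources. It parses two constructed messages, one mimicking a spear phishing lure and one benign, and reports which indicators fire. The domains, addresses, Authentication-Results values and attachment are all invented for the illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Extensions that should never arrive unsolicited; a double extension such as
# "Itinerary.pdf.exe" ends in one of these and is caught the same way.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".jar", ".docm", ".xlsm"}

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)

# Constructed spear-phishing sample: lookalike sender domain, failing SPF, no DKIM,
# envelope sender that differs from the From header, a deceptive link and a
# double-extension executable.
SAMPLE_EML = """\
Return-Path: <bounce@mailer-bulk.example>
Authentication-Results: mx.example.gov; spf=fail smtp.mailfrom=mailer-bulk.example; dkim=none
From: "Office of the Military Aide" <aide@wh0-military.example>
To: staffer@example.gov
Subject: Updated travel itinerary - action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="part"

--part
Content-Type: text/html; charset="utf-8"

<p>Please open the attached file and confirm at
<a href="http://update.wh0-military.example/login">https://www.whitehouse.gov/secure</a>.</p>
--part
Content-Type: application/octet-stream; name="Itinerary.pdf.exe"
Content-Disposition: attachment; filename="Itinerary.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--part--
"""

# Constructed benign sample: internal sender, passing SPF/DKIM, signed, plain text.
CLEAN_EML = """\
Return-Path: <colleague@example.gov>
Authentication-Results: mx.example.gov; spf=pass smtp.mailfrom=example.gov; dkim=pass header.d=example.gov
DKIM-Signature: v=1; a=rsa-sha256; d=example.gov; s=sel; h=from:to:subject; bh=abc; b=xyz
From: Colleague <colleague@example.gov>
To: staffer@example.gov
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

See you at noon.
"""


def domain_of(header_value):
    """Domain part of the first address in a From/Return-Path style header."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Pull the spf/dkim/dmarc verdicts out of the gateway's Authentication-Results header."""
    return {k.lower(): v.lower() for k, v in AUTH_RE.findall(msg["Authentication-Results"] or "")}


def deceptive_links(html):
    """Anchors whose visible text is itself a URL on a different host than the href target."""
    found = []
    for href, text in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()
        if not re.match(r"(https?://|www\.)", text, re.I):
            continue
        shown = urlparse(text if "://" in text else "http://" + text).netloc.lower()
        real = urlparse(href).netloc.lower()
        if shown and real and shown != real:
            found.append((real, shown))
    return found


def triage(raw):
    """Return human-readable findings for one raw message; an empty list means nothing fired."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    auth = auth_results(msg)
    if auth.get("spf") != "pass":
        findings.append("SPF result is '%s'" % auth.get("spf", "missing"))
    if msg["DKIM-Signature"] is None and auth.get("dkim") != "pass":
        findings.append("no DKIM signature and no passing DKIM result")
    env, frm = domain_of(msg["Return-Path"]), domain_of(msg["From"])
    if env and frm and env != frm:
        findings.append("envelope sender domain '%s' differs from From domain '%s'" % (env, frm))
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            for real, shown in deceptive_links(part.get_content()):
                findings.append("link text shows '%s' but points to '%s'" % (shown, real))
        name = part.get_filename()
        if part.get_content_disposition() == "attachment" and name:
            if "." + name.rsplit(".", 1)[-1].lower() in RISKY_EXTENSIONS:
                findings.append("risky attachment '%s'" % name)
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_EML), ("clean", CLEAN_EML)):
        print(label, triage(raw) or ["no indicators"])
```

Each finding on its own is only a hint (internal mailing lists legitimately break envelope/From alignment, for instance), so in practice the gateway would quarantine on a combination of indicators and route the message to the security team, which covers practice 2) and 3) of the list without relying on the recipient to notice.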

One advanced solution uses network security tools that can see all electronic communication. These "smart" systems learn each individual's normal communication patterns and flag unusual email that may be suspicious. Challenges arise as IT professionals develop natural language algorithms such as Phalanx (a product developed by the Georgia Tech Research Institute, GTRI) that try to separate spear phishing attacks from harmless email: occasionally important legitimate mail is lost as a false positive, because the algorithm labels a message an attack simply because its author encourages the recipient to "open the attached file" or "download the new software update." Two further measures are administering mitigation countermeasures (isolating a breach and blocking exfiltration, as the White House official described) and maintaining a properly configured malware detection program. Such a program should warn a user who attempts to navigate to a questionable site so that they can confirm the source is trustworthy; in many cases the warning causes the user to navigate away, or, once the link has already been clicked, the program blocks the attack outright.
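As an added example (written for this page, not taken from the article, GTRI or the Phalanx product), the following sketches the two ideas in the paragraph above: a per-recipient baseline of who normally writes to them and whether those senders normally attach files or links, combined with a list of lure phrases. It also reproduces the false positive the paragraph describes: a known colleague's first-ever attachment, sent with the words "open the attached file", scores the same as suspicious mail until an analyst feeds it back to the model as known-good. All senders, message contents, the phrase list, weights and threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed lure list and weights; a real deployment would tune both.
LURE_PHRASES = ("open the attached", "download the new software update",
                "verify your account", "action required")
UNKNOWN_SENDER_WEIGHT = 2   # sender never seen writing to this recipient
FIRST_TIME_WEIGHT = 1       # first attachment or link from an otherwise known sender
LURE_WEIGHT = 1             # per lure phrase found in the body
FLAG_THRESHOLD = 2          # score at or above this is held for review


def _empty_profile():
    return {"messages": 0, "attachments": 0, "links": 0}


class SenderBaseline:
    """Per-recipient model: which senders normally write to them and whether
    those senders normally include attachments or links."""

    def __init__(self):
        self.profiles = defaultdict(lambda: defaultdict(_empty_profile))

    def learn(self, msg):
        """Record a message known (or confirmed by an analyst) to be legitimate."""
        p = self.profiles[msg["to"]][msg["from"]]
        p["messages"] += 1
        p["attachments"] += int(msg["has_attachment"])
        p["links"] += int(msg["has_link"])

    def score(self, msg):
        """Return (score, reasons); score >= FLAG_THRESHOLD means hold for review."""
        reasons, score = [], 0
        p = self.profiles[msg["to"]].get(msg["from"])
        if p is None:
            score += UNKNOWN_SENDER_WEIGHT
            reasons.append("sender never seen writing to this recipient")
        else:
            if msg["has_attachment"] and p["attachments"] == 0:
                score += FIRST_TIME_WEIGHT
                reasons.append("first attachment from this sender")
            if msg["has_link"] and p["links"] == 0:
                score += FIRST_TIME_WEIGHT
                reasons.append("first link from this sender")
        body = msg["body"].lower()
        for phrase in LURE_PHRASES:
            if phrase in body:
                score += LURE_WEIGHT
                reasons.append("lure phrase '%s'" % phrase)
        return score, reasons


def _msg(sender, body, attachment=False, link=False, to="staffer@example.gov"):
    # Minimal constructed message record; a gateway would fill this from the parsed mail.
    return {"from": sender, "to": to, "body": body,
            "has_attachment": attachment, "has_link": link}


def demo():
    """Constructed history plus three new messages; returns the scores so they can be checked."""
    model = SenderBaseline()
    for i in range(5):   # the deputy writes daily, never with attachments or links
        model.learn(_msg("deputy@example.gov", "Schedule note %d" % i))
    phish = _msg("aide@wh0-military.example",
                 "Please open the attached file. Action required today.", attachment=True)
    legit = _msg("deputy@example.gov",
                 "Please open the attached file and send comments by noon.", attachment=True)
    routine = _msg("deputy@example.gov", "Schedule note, nothing new.")
    results = {"phish": model.score(phish),
               "legit_before": model.score(legit),
               "routine": model.score(routine)}
    model.learn(legit)   # analyst confirms the deputy's mail was genuine; baseline adapts
    results["legit_after"] = model.score(legit)
    return results


if __name__ == "__main__":
    for name, (score, reasons) in demo().items():
        print("%-12s score=%d flagged=%s %s" % (name, score, score >= FLAG_THRESHOLD, reasons))
```

The unknown sender with lure wording scores 4 and the routine note scores 0, but the deputy's genuine attachment also reaches the threshold (2) on its first appearance, which is exactly the lost legitimate mail the paragraph warns about. The feedback step is what keeps the trade-off tolerable: once the analyst confirms it, the same message scores only 1, so the baseline rather than the phrase list ends up deciding.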

Acknowledgements and References Cited
http://www.globalsecurity.org/wmd/systems/nuclear-football.htm
http://freebeacon.com/white-house-hack-attack/
RSA Spear Phishing Attack + Zero Day Flaw
How to Dodge a Spear Phishing Attack
Christopher Plummer
04.11.13